Shredders, and especially automatic shredders, are a convenient, efficient way to ensure your information security and avoid identity theft. In this day and age, it may also be necessary for your business or organization to shred paper or destroy CDs or other media in order to comply with a variety of federal and state regulations.
How can you tell what level of corporate or personal security a specific shredder will provide? Will using a specific type of shredder meet the standards of any relevant information security regulations?
In the United States, those regulations might include:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Economic Espionage Act of 1996
- Gramm-Leach-Bliley Act of 1999 (GLBA)
- Fair Credit Reporting Act of 2001 (FCRA)
- Sarbanes-Oxley Act of 2002 (SOX)
- Fair and Accurate Credit Transactions Act of 2003 (FACTA)
All of these regulations place the responsibility on the business or organization to ensure that documents containing sensitive or personal information are properly destroyed, but none of these specify a shred or particle size. Instead, they require that organizations have adequate written data protection policies and procedures.
For example, the Final Disposal Rule of the Fair and Accurate Credit Transactions Act (FACTA) does not prescribe a particle size that must be achieved when shredding paper; it simply states that organizations “must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
It suggests those reasonable methods would include shredding papers containing consumer information “so that the information cannot practicably be read or reconstructed.”
It sets the same standard for electronic media containing consumer information, saying it should be destroyed or erased “so that the information cannot practicably be read or reconstructed.”
Shredder output depends on two things:
- Cutting format (strip- or cross-cut, for example)
- The size of the individual pieces of shredded material the shredder produces
In general, the smaller the size of the shredded pieces, the more difficult they are to reconstruct. Also, cross-cut shredder output is generally more difficult to reconstruct than strip-cut.
You will find that many manufacturers refer to a DIN security rating. Deutsche Industrial Norm is Germany’s national standards body and its standard has been adopted by manufacturers in the UK, but this standard does not correspond with US regulations.
The DIN standard specifies a maximum strip or particle size for each of six security levels. Level 1 allows a maximum strip size of 12 mm or a particle size of 11 × 40 mm. By any standard, this provides a low level of security against a determined information thief. Each level above 1 permits a smaller strip or particle size. The three highest levels do not include strip waste at all. Level 6 allows a maximum particle size of 0.8 × 4 mm.
You will find that recommendations vary as to the appropriate applications for each security level in the DIN standard, and in other standards created by various organizations.
Here’s one more factor to consider: ease of use. The easier it is for you or your team to follow your procedures, the more likely it is that they will be followed consistently. For that reason, if you do a lot of shredding it is worth looking into an auto-feed shredder. The auto-feed feature allows you to load the papers to be shredded and then carry on with other important business while the shredder destroys sensitive documents.
In the end, information security is a process and your shredder is only a part of that process. Only you can determine the appropriate shredder for your individual or organizational needs. Reviewing your personal or organizational procedures will help you determine an acceptable maximum strip or particle size. But a good rule of thumb is to purchase a shredder that not only conforms to your maximum, but produces the smallest strips or particles from among the shredders that are within your budget.